GENERAL SERVICES ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

AUDIT OF BUILDING ACCESS THROUGH SMART CARDS
REPORT NUMBER A040111/P/R/R05002
January 14, 2005

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION
     Background
     Objectives, Scope, and Methodology

RESULTS OF AUDIT
     PBS has Made Progress but More Needs to be Done
           Lack of Supporting Infrastructure
           Inconsistent Controls
     The Smart Card Implementation will be Impeded by Several Factors
           Need to Integrate and Coordinate the Agency's Security Practices
           Interoperability Issues
           Procurement Issues
     The Smart Card Implementation will be Impacted by Recent Developments
     Conclusion
     Recommendations
     Management Controls
     Management Comments

APPENDICES
     Management's Response (Appendix A)
     Report Distribution (Appendix B)

EXECUTIVE SUMMARY

Purpose

The audit objective was to determine whether the Public Buildings Service (PBS) is effectively implementing a smart card credential program for security over physical access to facilities managed by the General Services Administration (GSA).

Background

Smart card technology is attractive because it can provide secure and accurate identity verification in the convenience of a small plastic card, making it ideal for electronic commerce, logical access to information systems, and physical access to facilities. Within the Federal government, the objective of adopting smart card technology was to enable all employees to use one card for a wide range of purposes, including travel, small purchases, and building access. Although GSA has provided guidance and procurement vehicles for agencies to implement smart cards, until recently it had made only limited progress in implementing smart cards within the agency.

Results in Brief

PBS's effectiveness in implementing an agency-wide credential using smart card technology has been mixed. Recently, PBS established a uniform agency credential with smart card capabilities and began to issue these card credentials. However, the implementation of the smart card credentials is hindered by the lack of a vision for incorporating the smart card credential as a component of agency-wide security. As a result, the credentialing program will have only a limited impact on the security over physical access to buildings and facilities due to a variety of factors, including inconsistent controls and a lack of supporting infrastructure. Further, other aspects of the smart card initiative, such as integrated security practices, interoperability, and procurement issues, will also be problematic for an effective implementation. Moreover, PBS's efforts will be impacted by a new Presidential directive on identification standards for Federal employees and contractors as well as the Federal Protective Service (FPS) project that will oversee smart card access to buildings and facilities.

Recommendations

We recommend that PBS coordinate with other agency officials in the development of the vision, goals, and scope for GSA's smart card implementation as part of the agency's security protocol; use the vision, goals, and scope to reassess the smart card credential requirements and determine the estimated funding needs for GSA's smart card credential, including the costs for implementation, operations, and infrastructure; reestablish a physical security function within the PBS organization; re-evaluate and improve the management controls related to smart cards and issue additional detailed guidance as necessary; and ensure smart card credential and physical access system procurements comply with acquisition regulations and policies, including competition.

Management Comments

In his January 7, 2005 response to the draft audit report (see Appendix A), the Commissioner of the Public Buildings Service (P) indicates concurrence with the report recommendations.

INTRODUCTION

Background

Smart card technology is attractive because it can provide secure and accurate identity verification in the convenience of a small plastic card. A smart card resembles a credit card in shape and size and is embedded with an integrated circuit chip that acts as a microcontroller or computer. The chip interacts with a card reader to transact a process and provides the necessary components of system security for the exchange of data throughout almost any type of network. While smart card technology has many applications, the enhanced level of security it provides makes it ideal for electronic commerce, logical access to information systems, and physical access to facilities.

The impetus for applying smart card technology to government operations has been the past and current Administrations' push to exploit information technology, increase efficiency, streamline organizations, and eliminate barriers between organizations. The objective of adopting smart card technology was "…so that ultimately, every employee will be able to use one card for a wide range of purposes, including travel, small purchases, and building access."[1] To shepherd this transition to smart card technology, in July 1996 the Office of Management and Budget requested that the General Services Administration (GSA) take the lead in working with departments and agencies to develop the Federal business tools of electronic commerce and the government card services in the Federal Government.

[1] The Presidential Budget for Fiscal Year 1998.

GSA's Role in Smart Cards

GSA has done several things to assist the adoption of smart cards. In August 1998, it established the Office of Smart Card Initiatives within the Administrator's Office to oversee the implementation of smart cards government-wide, as well as to put GSA in the forefront of implementing an in-house smart card program. In addition, GSA implemented a pilot program to test Government smart cards and related systems. In July 1999, the Office of Smart Card Initiatives was transferred to the Federal Technology Service (FTS). Under FTS, GSA established the smart card business line and subsequently awarded the Smart Identification Card contract, which provides Federal agencies with access to smart card services, project management, training assistance, and support. Despite this advancement as a business line, GSA's internal implementation of smart cards made little progress.

On January 23, 2001, in response to an audit of GSA's internal smart card implementation,[2] GSA transferred the responsibility for implementing GSA's internal smart card program from FTS to the Office of the Chief People Officer (CPO). Under this initiative, CPO established a Smart Card Working Group that included representatives from multiple organizations, including CPO, the Office of the Chief Financial Officer, the Office of the Chief Information Officer, the Office of Governmentwide Policy (OGP), FTS, the Public Buildings Service (PBS), and most regions. However, this effort stalled when a fiscal year 2003 funding request of $900,000 to implement smart cards in GSA's Central Office was not approved. Finally, on August 15, 2003, PBS was charged with developing and managing the GSA nationwide credential and building pass program based on smart card technology.

[2] Review of Smart Card Initiatives, report number A000874/T/W/R00019, dated September 11, 2000.

In the fall of 2003, as PBS was moving forward, a pilot project initiated by the Northeast and Caribbean Region (Region 2) implemented a smart card system in two multi-tenant buildings in New York City. Using a project team that included representatives from PBS, FTS, and the Federal Protective Service, it has issued smart card identification to all GSA employees as well as tenant agency personnel in the buildings and equipped the buildings with readers and barriers/portals. The smart card identifications are used alone to allow entry through the barriers/portals, and in conjunction with a personal identification number and/or biometric fingerprint during heightened periods of alert.

Federal Smart Card Activities

The development of smart card technology is dynamic, and the Federal government is attempting to establish uniform standards. To date, several agencies and organizations within the Federal government have been issuing guidance, policies, and specifications for smart cards. Key activities include the following:

• In August 2004, the White House issued a Homeland Security Presidential Directive[3] to establish a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.

• GSA's OGP has issued the Government Smart Card Handbook to share lessons learned and provide guidance to Federal agencies contemplating the development and deployment of smart card identity systems. This handbook was first issued in October 2000, and an update was released in February 2004.

• The National Institute of Standards and Technology (NIST) leads the development of the Government Smart Card – Interoperability Specification (GSC-IS), which establishes the technical specifications and standards for smart cards in the Federal government. The GSC-IS provides solutions to a number of the interoperability challenges associated with smart card technology. NIST issued version 2.1 of the specification in July 2003.

• In March 2004, the Federal Identity Credentialing Committee (FICC) issued guidance on the use of smart card-based technology in badge, identification, and credentialing systems within the Federal sector, to help agencies plan, budget, establish, and implement credentialing and identification systems for Federal government employees and their agents. The document applies specifically to the use of smart card-based platforms in the credentialing and identification activities of Federal government employees, contractors, and affiliates supporting Federal agencies.

• The Physical Access Interagency Interoperability Working Group (PAIIWG) within the FICC developed a standardized approach for the procurement of physical access control systems and components to ensure that agencies deploy equipment that meets their specific needs and, at the same time, facilitates cross-agency interoperability. The guidance provides for access systems with low, medium, and high protection profiles.

[3] HSPD-12.

Objectives, Scope, and Methodology

The audit objective was to determine whether PBS is effectively implementing a smart card credential program for security over physical access to GSA facilities. We performed fieldwork at the National Office and visited four regions: the New England Region (Region 1), the Northeast and Caribbean Region (Region 2), the Mid-Atlantic Region (Region 3), and the Great Lakes Region (Region 5).

To gain an understanding of the program, we held discussions with the PBS project team and with regional representatives involved in the implementation of the program and reviewed applicable guidance. We met with the credentialing official in the GSA Central Office, Office of Emergency Management. We reviewed the PBS task order and other procurements related to the smart card credential implementation. Additionally, we met with the FTS project manager. To gain a better understanding of smart card technology and requirements, we also met with officials in OGP as well as interagency personnel working with the Interagency Security Council, the Government Smart Card Interagency Advisory Board, and the FICC. Lastly, we spoke to officials from the Department of Homeland Security on their building security initiative.

The fieldwork was conducted between January and July 2004. The audit was performed in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

The Public Buildings Service's (PBS) effectiveness in implementing an agency-wide credential using smart card technology has been mixed. Recently, PBS established a uniform agency credential with smart card capabilities and began to issue these card credentials. However, the implementation of the smart card credentials is hindered by the lack of a vision for incorporating the smart card credential as a component of agency-wide security. As a result, the credentialing program will have only a limited impact on the security over physical access to buildings and facilities due to a variety of factors, including inconsistent controls and a lack of supporting infrastructure. Further, other aspects of the smart card initiative, such as integrated security practices, interoperability, and procurement issues, will also be problematic for an effective implementation. Moreover, PBS's efforts will be impacted by a new Presidential directive on identification standards for Federal employees and contractors as well as the Federal Protective Service (FPS) project that will oversee smart card access to buildings and facilities.

PBS has Made Progress but More Needs to be Done

PBS has undertaken the responsibility for developing and implementing a nationwide standard credential system using smart card technology for the General Services Administration (GSA). PBS led the revision of the Credentials and Passes handbook[4] to establish a standard credential for nationwide use and to establish the technical specifications and topography as well as the responsibilities and accountability for the processing of the credentials. PBS also awarded a task order through the GSA Smart Card Contract for smart card identifications and their issuance. To date, PBS has ordered 18,000 cards. In January 2004, GSA began registering and enrolling employees in GSA Central Office, including the Federal Technology Service (FTS) and the Federal Supply Service (FSS), as well as in three additional regions[5] through a central credentialing system database set up by the contractor. In May 2004, GSA began issuing smart cards to employees in GSA Central Office and those regions.[6] In addition, the project team has been working internally with regional personnel to prepare for the registration, enrollment, and issuance process. The project team has also been working externally with the Federal Identity Credentialing Committee and leads the Topology Working Group to develop government-wide standards.

[4] GSA Order ADM P 7640.2, dated August 15, 2003.
[5] The New England (1), Mid-Atlantic (3), and Southeast Sunbelt (4) Regions.
[6] As of August 4, 2004, cards had been manufactured for approximately 62% of the employees in GSA Central Office and Regions 1, 3, and 4.

According to the project team, the goal is to issue the smart card credentials to GSA employees, contractors, and tenant agency employees through a central credentialing system database. Then the cards and the database can be used to control access to GSA facilities using the smart card features. The database can be used as a control over the card through features such as an automatic expiration date and the ability to terminate a card in the database prior to the expiration date.

The card has security features for physical access such as a challenge-response system that enables a specialized reader to validate the card, as well as identification information for each employee including a photograph, a fingerprint biometric, and a personal identification number (PIN). The card also includes anti-counterfeiting measures such as a hologram, ultraviolet ink, and microprinting. These features improve the ability to authenticate both the card and the cardholder. What is lacking, however, is a comprehensive vision for identity management and agency security to ensure these capabilities are used optimally. To date, PBS has concentrated on issuing the credentials; but without incorporating the supporting infrastructure and stronger controls, the benefits of the smart card technology will not be achieved and the credentials, in many locations, will be relegated to a picture ID.

Lack of Supporting Infrastructure

PBS's implementation of smart cards will have only a limited impact on the physical access security of GSA facilities in the immediate future because it does not have the infrastructure to use the card's electronic security capabilities, nor has it allocated funding to install the infrastructure. In adopting its card, PBS is incorporating many technology-based security features, such as a challenge-and-response card validation methodology and a centralized card termination capability, but as cards are issued, only a limited number of buildings will be able to take advantage of these capabilities in the near future. According to the PBS project team, PBS plans to equip only major Central Office locations[7] and provide some funding to equip one building in each region with smart card access systems. As a result, few buildings will have the infrastructure necessary to actually take advantage of the smart card's security capabilities.

[7] This includes new readers for the GSA Central Office Building and a refitting of the readers at FTS locations. Readers for the FSS headquarters will not be installed until it is relocated in FY 2006.

In addition, PBS has not allocated any funding to install additional systems in the future. Currently, the smart card implementation does not have a budget and is operating on a "pay as you go" basis using PBS National Office funds. PBS has spent approximately $350,000[8] to date for the credentials and their issuance, but does not have any funds allocated for the access systems or other supporting infrastructure. In addition, the project has not taken steps to estimate a budget for the supporting infrastructure. PBS has yet to inventory its buildings' current access systems or risk ratings to develop an estimate of future funds needed to implement an infrastructure for the GSA smart card credential. As such, the future costs for access systems will be the responsibility of regional management in conjunction with tenant agencies and will not be provided by PBS directly.

[8] This only includes orders placed by the PBS project team through FTS. It does not include other costs incurred by the project team such as FTS fees, travel, and salaries, nor does it include regional expenditures.

As a result, without a current supporting infrastructure or a funding methodology to install the supporting infrastructure, the smart card credentials will primarily be used as a picture ID at many locations. Although GSA may benefit from a uniform credential that incorporates anti-counterfeiting features and that is recognized nation-wide, it does not optimize the security capabilities of a smart card.

Inconsistent Controls

The smart card program needs consistent controls to ensure the integrity of the system, and these controls must exist within the context of an agency vision of how smart card credentials will be used. The controls for the GSA smart card credential are outlined in the Responsibilities and Accountability sections of the Credentials and Passes handbook. However, the handbook provides only a broad framework for the administrative processes of issuing and terminating the credential cards. In addition, many of the policies in the handbook need strengthening, as shown in the following examples:

• The smart card credential permits high-level authentication of both the card and the cardholder. However, the issuance process for smart card credentials allows new employees to obtain a card prior to a background check. GSA's security policy does not require background checks for most new employees until after they begin working, while the credential policy calls for new employees to be entered into the credentialing database as soon as they are hired and has no requirement for the background check to be completed prior to obtaining a card. Additionally, the credential policy only requires contractors performing work requiring a moderate or high-risk clearance to have a background check or clearance. Several prior audits[9] have identified contractor background checks as a security weakness, as these clearances often are not performed or updated when required.

• Although the Credentialing Office is required to maintain an electronic system of checks and balances and controls, the credentialing system currently does not have any reporting or querying capabilities that could be used as part of a system of controls or checks and balances.[10] In fact, when credentialing officials were verifying individuals prior to card issuance, they could not query the system to identify personnel whose data was incomplete, because the database only provides data at the individual level and cannot perform queries at a group level. For example, the system could not be queried to identify personnel who had pictures and fingerprints taken but had not registered on-line. Moreover, to actually verify the data as correct, the registration data had to be manually checked against information from GSA's human resource database.

• According to the handbook, the GSA Office of the Chief Information Officer (CIO) has the responsibility for operating and maintaining the credential system hardware and software, as well as being the point of contact for changes to the database. However, although the GSA CIO has agreed to house the credentialing system's server in its secure space, it has not taken on responsibility for any other aspect of the system.

• Keeping employee information current in the credentialing database is unreliable, as it depends on GSA employees to submit revisions to their supervisor, who submits the data to the Credentialing Office. Data updates would be more reliable if the credentialing system could be updated with data from GSA's human resource database; however, the PBS task order did not provide for the credentialing system to interact with any GSA systems.

• According to the handbook, supervisors collect the credentials from separating employees and the Office of the Chief People Officer (CPO) will return the credentials to the credentialing office. However, according to a representative from CPO, supervisors are responsible for ensuring separating employees return their credential to the credentialing office.

• The Office of Emergency Management (OEM) is charged with conducting reviews of GSA's Central Office and the National Capital Region (NCR) to ensure compliance with agency policies and guidance. However, the OEM is the credentialing office for Central Office and has a conflict of interest in reviewing its own operations. In addition, the credentialing official in OEM stated that his authority does not extend to NCR and that he would work to revise the handbook.

[9] Audit Report Numbers A030086/P/2/R04001, A020143/P/5/R03014, A81543/P/5/R99510, A995160/P/5/R00007, A001053/P/5/R01020, and A010230/P/5/R02023.
[10] The task order specified that the card management system must track ID expiration, application and container management, revocation, smart card deactivation, and basic and ad hoc report generation. However, in a discussion, a representative of the vendor stated that if PBS needed reports, the function could be programmed into the system for a fee.

The handbook provides only part of the guidance necessary for a successful implementation; an agency vision is needed to provide a contextual framework. We recognize that balancing GSA's and tenant agencies' security needs with public access is a complex and difficult task. What we have found, though, is that key decisions such as which buildings should have card readers, whether to integrate physical barriers with the authentication process, and when the PIN and biometric features should be used are not addressed and are left to the individual regions to determine. Further, the regional Credentialing Offices are responsible for establishing agreements with tenant agencies, but there is no guidance with regard to what needs to be included in the agreement. Without reliable and consistent policies and procedures, it will be difficult to maintain a strong uniform approach to security.

The Smart Card Implementation will be Impeded by Several Factors

Other factors will also impede PBS's implementation of smart cards. These factors include the need to integrate the agency's security practices, interoperability, and procurement issues.

Need to Integrate and Coordinate the Agency's Security Practices

PBS's ability to effectively implement smart card credentials is affected by other security responsibilities within the agency that are separate and distinct from implementing the smart card credentials. To obtain the most benefit from this implementation, the agency's security practices need to be integrated and coordinated with the implementation of the smart card credential at both the functional and organizational levels. Although in recent discussions the Deputy Commissioner has indicated that PBS has begun coordinating on these issues with other organizations within the agency, GSA needs to address several agency-wide security functions and responsibilities that are necessary to properly implement smart cards.

For example, personnel security is vital to a smart card implementation because it establishes the identity of the smart card recipient and ensures that the recipient meets the suitability requirements to become a government employee and receive a card. However, as discussed earlier, GSA's personnel security policy and procedures, dated January 15, 1998, do not require this determination to be made for most GSA positions until an employee has already begun working. As a result, employees may become eligible for a smart card before their identities are confirmed and their security requirements are investigated.

In addition, since smart cards can enhance both physical and logical access[11] security, these functions should have representation on the PBS project team so that the program can incorporate their needs. However, GSA has not fully addressed these functions within the agency. With regard to physical security, FPS handled those policies and practices in the past, but that organization was transferred to the Department of Homeland Security in March 2003. To date, GSA has yet to fill this void. Within PBS, the most recent update to its organization manual provided for a subject matter expert for security, but the position has not been filled and the function is not being performed. Likewise, the logical security function is not being integrated with smart cards either. The GSA CIO IT Strategic Plan calls for the agency to pursue technologies such as smart cards that offer solutions to improve logical access control. However, currently, GSA is not actively pursuing the use of smart cards for logical security, and the GSA CIO has not actively participated on the PBS project team.

[11] Logical security is responsible for access to information technology such as computer networks and applications.

The PBS project team also does not have a means to coordinate the smart card responsibilities of other GSA organizations, as previously discussed. Although PBS is charged with managing the smart card credential and building pass, all GSA organizations are stakeholders. Not only is the smart card being issued to all GSA employees, but many organizations will also be involved in the smart card operations. According to the handbook, the CPO is responsible for notifying the Credentialing Office of separating employees, the CIO is responsible for operating the credentialing system hardware and software, the Office of the Administrator and regional management will be devoting employees to the regional credentialing office, and all service and staff offices and regional management must designate supervisors who can approve employee applications for the smart card credentials. However, these stakeholders are not members of the project team, and so PBS lacks the communication channels necessary to coordinate and collaborate with the other GSA organizations in performing their responsibilities related to the smart card credentials.

Interoperability Issues

The federal government intends to adopt smart card technologies so that a card issued by one agency can be used for a wide range of purposes throughout the government. However, the GSA credential includes two features, the fingerprint biometric and the electronic challenge-response card validation, which hinder this goal. The incorporation of these features into physical access control systems will limit the ability of cards issued by other agencies to be used within GSA-managed buildings and facilities.

Biometric Information: According to the Federal Identity Credentialing Committee (FICC) smart card policy,[12] each smart card should have the capability for a biometric. However, to date, the federal smart card community has not adopted biometric technical specifications, and most vendors offer biometric models that are implemented using proprietary technology, which limits interoperability. Likewise, GSA's smart card uses a fingerprint biometric that is based on proprietary technology, and as such, the interoperability of the GSA access systems will be limited. As there are many variations of biometrics and readers are primarily geared toward one specific version, cards issued by other agencies may not have the full capability to access GSA facilities.

[12] Policy Issuance Regarding Smart Card Systems for Identification and Credentialing of Employees, issued in March 2004.

Challenge-Response Card Authentication: GSA's smart cards will employ an electronic challenge-response authentication method, known as the High Assurance Profile.[13] This methodology is an enhanced security feature in which a cryptographic algorithm stored in the card's memory interacts with a specialized reader to verify that the card is valid and was issued by a legitimate government organization. The readers will reject smart cards that do not have the correct algorithm. The developer of this methodology is a subcontractor on PBS's task order.
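The two mechanisms the report describes, a challenge-response check that lets a reader validate the card itself (this section) and a central credentialing database that enforces an expiration date and lets a card be terminated early (the "PBS has Made Progress" section above), are shown together in the following simulation. This is an added example for this page, not code from the report, from GSA, or from the High Assurance Profile vendor, whose method is proprietary and not described here; it substitutes a generic HMAC-based challenge-response with per-card keys diversified from an issuer key, and the issuer keys, card identifiers, and database records are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Constructed issuer keys for the example. A reader provisioned with the
# GSA key can validate GSA-issued cards; a card personalized under any
# other key fails the challenge and is rejected, as the report describes.
GSA_MASTER_KEY = b"constructed-gsa-issuer-key"
OTHER_AGENCY_KEY = b"constructed-other-agency-key"

AUDIT_DATE = date(2005, 1, 14)  # the report's issue date, used as "today"


def derive_card_key(master_key: bytes, card_id: str) -> bytes:
    """Key diversification (assumed technique): each card gets its own
    secret derived from the issuer key, so one card's secret does not
    expose the others."""
    return hmac.new(master_key, card_id.encode(), hashlib.sha256).digest()


@dataclass
class Card:
    card_id: str
    key: bytes  # card-unique secret; on a real card it never leaves the chip

    def respond(self, challenge: bytes) -> bytes:
        """Card side of the exchange: MAC the reader's challenge."""
        return hmac.new(self.key, self.card_id.encode() + challenge,
                        hashlib.sha256).digest()


def issue_card(master_key: bytes, card_id: str) -> Card:
    """Personalization step: load a diversified key onto a new card."""
    return Card(card_id, derive_card_key(master_key, card_id))


def reader_verify(master_key: bytes, card_id: str,
                  challenge: bytes, response: bytes) -> bool:
    """Reader side: re-derive the card key and compare in constant time."""
    expected = hmac.new(derive_card_key(master_key, card_id),
                        card_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# Constructed stand-in for the central credentialing database: an expiration
# date per card and a termination flag that revokes a card before it expires.
CREDENTIAL_DB = {
    "GSA-0001": {"expires": date(2007, 1, 1), "terminated": False},
    "GSA-0002": {"expires": date(2004, 1, 1), "terminated": False},  # lapsed
    "GSA-0003": {"expires": date(2007, 1, 1), "terminated": True},   # separated
}


def access_decision(card: Card, today: date = AUDIT_DATE,
                    master_key: bytes = GSA_MASTER_KEY, db=CREDENTIAL_DB) -> str:
    """One reader transaction: authenticate the card first, then apply the
    database controls (unknown card, termination, expiration)."""
    challenge = os.urandom(16)  # fresh nonce per transaction, so replays fail
    if not reader_verify(master_key, card.card_id, challenge,
                         card.respond(challenge)):
        return "DENY: card failed challenge-response"
    record = db.get(card.card_id)
    if record is None:
        return "DENY: card not in credentialing database"
    if record["terminated"]:
        return "DENY: card terminated"
    if today > record["expires"]:
        return "DENY: card expired"
    return "GRANT"


def replay_is_rejected(card: Card, master_key: bytes = GSA_MASTER_KEY) -> bool:
    """A response captured for one challenge does not satisfy a later one."""
    captured = card.respond(os.urandom(16))
    return not reader_verify(master_key, card.card_id, os.urandom(16), captured)


if __name__ == "__main__":
    for label, card in [
        ("valid GSA card", issue_card(GSA_MASTER_KEY, "GSA-0001")),
        ("expired GSA card", issue_card(GSA_MASTER_KEY, "GSA-0002")),
        ("terminated GSA card", issue_card(GSA_MASTER_KEY, "GSA-0003")),
        ("other issuer, same ID", issue_card(OTHER_AGENCY_KEY, "GSA-0001")),
        ("unknown card", issue_card(GSA_MASTER_KEY, "GSA-9999")),
    ]:
        print(f"{label:22s} -> {access_decision(card)}")
    print("replay rejected:",
          replay_is_rejected(issue_card(GSA_MASTER_KEY, "GSA-0001")))
```

The order of the checks is the point: the reader authenticates the chip before it trusts anything printed or stored on the card, so a card carrying a copied identifier but the wrong key never reaches the database lookup. The expiration and termination controls live entirely in the database, which is why the report's finding about missing reader infrastructure matters: at a building with no networked reader these controls cannot act, and the card falls back to being a picture ID.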
GSA is one of only a few agencies that have adopted this feature.\n\nAs a result of the adoption of these features, PBS has created a specification for\nGSA buildings that is not readily interoperable with smart cards issued by the\nmajority of other agencies. In fact, GSA is already experiencing interoperability\nissues internally. The GSA Northeast & Caribbean Region (Region 2) began\nimplementing a smart card system at 26 Federal Plaza in New York City prior to\nthe PBS\xe2\x80\x99 initiative and used a different contractor. These cards were distributed\nto all Federal employees in the building \xe2\x80\x93 GSA employees as well as other federal\ntenants. These cards do not have the same biometric as the GSA card and do\nnot have the challenge-response algorithm. As a result, the cards and the card\nreader equipment at 26 Federal Plaza will not be interoperable with the GSA\ncard. Currently, the region is planning to migrate to the GSA credential and\nreplace equipment as necessary.\n\nIn the future, these interoperability issues may be addressed as the policy for a\ncommon identification standard evolves.\n\nProcurement Issues\n\nThe PBS smart card task order had a limited scope. It basically covered the\nequipment and services for the issuance of cards and the readers needed to\nequip one building in each region. However, it did not cover all of the equipment\nnecessary for the issuance nor did it include all of the equipment and services to\ninstall physical access control systems. As a result, regional management has\nbeen procuring equipment and services outside of the PBS task order and this\nhas led to problems with the ordering and pricing of data capture stations as well\nas competition for access systems.\n\nData Capture Stations: To date, several regions have been making\nprocurements for the data collection hardware and software, known as data\ncapture stations. The PBS task order allowed for the purchase of between 2 and\n15 stations. 
In preparing to issue cards in the regions, PBS stated that it would\nbe supplying each region with one station and that the regions would need to\npurchase additional stations on their own. To meet their needs for additional data\ncapture stations, the regions need to conform to the same equipment provided by\nPBS. However, they have been acquiring the equipment from PBS\xe2\x80\x99 contractor\n\n\n13\n   In standards for physical access controls systems published by the Government Smart Card\nInteragency Advisory Board (GSC-IAB), a challenge-response system is a permissible\nmethodology for contact cards. However, the GSC-IAB has not sanctioned using the challenge-\nresponse methodology on a contact-less card as it requires proprietary technology.\n\n\n                                          Page 10\n\x0cand subcontractor using multiple purchasing arrangements with inconsistent\npricing and terms.\n\nPBS began purchasing data capture stations through its task order that was\nawarded under the GSA Smart Card Contract and required PBS to pay a fee to\nFTS. As the regions needed to purchase the stations, the PBS project team\nbegan recommending that the regions use Federal Supply Schedule contracts to\nsave money. As such, Region 4 purchased a station citing a supply schedule\ncontract for Financial and Business Solutions14 held by the prime contractor for\nthe PBS task order and Region 1 purchased two stations citing a supply schedule\ncontract for General Purpose Commercial Information Technology Equipment15\nalso held by the prime contractor. However, these supply schedule contracts do\nnot include smart card equipment such as the data capture station and are out of\nscope. These acquisitions were within the dollar threshold for simplified\nacquisitions, which allows purchases based on a quotation without a contract in\nplace. 
This methodology was essentially used by Region 3, which cited no\ncontract with its payment.\n\nIn addition, the pricing and terms on these purchases have been inconsistent.\nThe PBS task order price for a data capture station is $4,667.0516, including\nlabor, set up, support, and training and the related travel costs are to be\nreimbursed at actual cost. Under a price quote from the prime contractor to PBS\non January 12, 2004, the regions could purchase additional enrollment stations at\nthe same price of $4,667.05 including labor, set up, support, and training.\nHowever, in March 2004, Region 1 purchased two stations from the prime\ncontractor at a total cost of $11,334 or $5,667 per unit and Region 3 received two\nstations from the subcontractor for the same price. According to the\nsubcontractor, the additional charge is for travel and labor related to setting up\nthe machine and training employees to use the station, although labor was\npreviously included in the base price of the station. In August 2004, the\nsubcontractor provided PBS with a new quotation that established a standard\nprice $4,667 per station and $2,000 charge for on site setup and configuration,\neffective through the end of fiscal year 2004. In the future, the costs for data\ncapture stations will increase more as the subcontractor is currently in the\nprocess of adding data capture stations to its Federal Supply Schedule contract\nat a price of $9,694.25.\n\nAccess Systems: The PBS task order did not include physical access control\nsystems. 
However, the PBS contractor team may have a competitive advantage\non these procurements due to knowledge of the GSA smart card technical\ncharacteristics and its role on the PBS task order.\n\n\n\n14\n   Contract Number GS-23F-0016J.\n15\n   Contract Number GS-35F-4338D.\n16\n   The original negotiated price was $3,067.05, but was increased through a modification to add a\nCustom Lighting Array for the equipment.\n\n\n                                            Page 11\n\x0cOnly PBS\xe2\x80\x99 contractors have full knowledge of the GSA smart card\xe2\x80\x99s technical\ncharacteristics and as a result, the competition on the regional procurements is\nbeing affected. For instance, when Region 1 procured access and control\nsystems for two of its buildings, there were only two bidders, the PBS prime\ncontractor and one competitor that had lost on the PBS task order. However, this\ncompetitor initially could not submit a proposal because it lacked technical\ninformation for the GSA card\xe2\x80\x99s data model. Eventually, GSA had to obtain that\nfrom the PBS contractor, so the competitor could submit a bid. Also, when\nRegion 3 was procuring an access system for its regional office building, this\nsame competitor complained because GSA was forwarding its questions relating\nto the technical aspects of the GSA card to PBS\xe2\x80\x99s subcontractor, who was also\ncompeting on the acquisition. Eventually the competitor declined to submit a\nproposal.\n\nLastly, the subcontractor has been working closely with the PBS project team to\nissue the GSA credentials and with the regions in setting up the initial equipment\nprovided by the PBS National Office. As such, the subcontractor\xe2\x80\x99s role on the\nPBS task order also creates the appearance of a competitive advantage. 
For\nexample, when Region 3 initiated a procurement to replace the card readers in its\nregional office building to make them compatible with the new GSA smart card, it\ndid not intend to hold a competition. The subcontractor on the PBS task order\nhad been involved in meetings between Region 3 and the PBS project team, and\nafter discussions with Region 3 about its future requirements, had been providing\nprice quotes to the Region. The region had initially planned to make the\nprocurement on a sole-source basis to the subcontractor through a Federal\nSupply Schedule contract. However, after receiving complaints, Region 3 held a\ncompetition. But as discussed above, the subcontractor, as GSA\xe2\x80\x99s technical\nexpert, fielded its competitor\xe2\x80\x99s technical questions.\n\nSince the PBS task order did not cover the full scope of GSA\xe2\x80\x99s needs, additional\nprocurements for smart card equipment, systems, and services will need to be\nmade. In making these procurements, GSA should ensure that these future\nprocurements comply with proper procurement methods, provide consistent\npricing and terms, and avoid limits on competition.\n\nThe Smart Card implementation will be impacted by recent developments.\n\nTwo recent developments, specifically the Presidential directive on common\nidentification standards for Federal employees and contractors and the Federal\nProtective Service\xe2\x80\x99s (FPS) smart card building security program, will affect the\ncurrent smart card implementation.\n\nOn August 27, 2004, a Homeland Security Presidential Directive17 was issued to\nprovide for a mandatory, Government-wide standard for secure and reliable\nforms of identification issued by the Federal Government to employees and\n\n17\n     HSPD-12.\n\n\n                                     Page 12\n\x0ccontractors that will be established within six months of the directive\xe2\x80\x99s date. 
This\ndirective has the potential for disrupting the PBS project by adding more\nrequirements over the issuance of the credentials as well as for their\nimplementation. For example, the Federal standard for secure and reliable forms\nof identification will require sound criteria for verifying an individual\xe2\x80\x99s identity. The\nrequirements to obtain a GSA credential may not meet this standard because, as\ndiscussed earlier, new GSA employees and contractors may be able to obtain the\nGSA credential without security or background checks. As all agencies are\nrequired to have a program in place to meet the standard, GSA may be required\nto tighten its controls over the credentials and adjust the implementation.\n\nIn addition, FPS is planning to implement a building security program using smart\ncards for federal facilities. FPS plans to include a central card management\nsystem that will be linked to agencies\xe2\x80\x99 human resources or payroll database and\nthat can immediately control access as cardholders enter or leave government\nemployment. The FPS system would also link the background clearance\ninvestigations process to the issuance of government identification to employees.\nFPS also plans to integrate the smart cards access systems into the existing\ncommunications and dispatch networks, called Mega Centers, that currently\nmonitor security at federal buildings and perform remote troubleshooting of\nperimeter building alarms 24 hours per day, 7 days per week.\n\nGSA\xe2\x80\x99s credentialing program and the FPS system have similar objectives and\nclearly overlap in some areas. Coordination is especially needed to not only\nensure compatibility with the GSA smart card implementation, but to also clarify\nthe responsibilities of both agencies with regard to the following:\n\n   \xe2\x80\xa2   Who has responsibility for access to GSA properties? 
According to the\n       PBS project team, FPS is responsible for the perimeter security of GSA\n       properties, while GSA controls who has the right to access those\n       properties. However, this may conflict with FPS\xe2\x80\x99s responsibility to develop\n       building access requirements.\n   \xe2\x80\xa2   Are smart card access systems defined as security equipment? According\n       to the Memorandum of Agreement regarding the transfer of FPS from GSA\n       to the Department of Homeland Security, control and custody of the\n       security equipment purchased and installed by GSA should be transferred\n       to FPS and FPS will be responsible for the maintenance, repair, and\n       replacement. In discussions, FPS personnel stated that smart card\n       access systems are considered security equipment. Conversely,\n       according to the PBS project team, the smart card readers are part of the\n       card management systems.\n   \xe2\x80\xa2   Will FPS make smart card access systems mandatory security\n       equipment? According to the Memorandum of Agreement between FPS\n       and GSA, GSA is responsible for funding security features and equipment\n       on new construction and major repair and alteration projects. However, on\n       minor repair and alterations projects, GSA only funds non-mandatory\n       security enhancements, while FPS is responsible for funding the purchase\n\n\n                                        Page 13\n\x0c          of mandatory security equipment. 
As such, if FPS makes smart card\n          systems mandatory for more Federal properties, it may be responsible for\n          funding these systems and relieving GSA of that burden.\n\nAlthough GSA and FPS have been working together at the local level to install\nbuilding access systems and have contact at high levels, PBS needs to start\ncoordinating with FPS on plans for smart card access to federal facilities to\nensure these issues are resolved.\n\nConclusion\n\nWhile PBS has been very focused on acquiring the smart card credentials and\nhas made progress in this area, there are significant gaps in the integration of\nsmart card technology into the agency\xe2\x80\x99s security process. The agency is buying\nsmart card technology without fully assessing what its needs are and without\nproviding the corresponding infrastructure to support these needs. The issuance\nof credentials will not result in a nationwide security system if each region\ndevelops its own controls and implements its own supporting infrastructure\nindependently of each other and organizations such as the CIO and CPO play\nonly tangential roles.\n\nThe Government Smart Card Handbook 18 recommends that, prior to acquiring\nsmart cards, an agency assess its needs based on such areas as its security\nrequirements, size and geographic distribution, need for interoperability and\navailable resources in order to establish the vision, goals and scope for\nimplementing the smart cards. It is critical that GSA understand its own specific\nrequirements and goals for the smart card credential. 
While it is important to\nconsider future requirements, it is equally important that the program not incur\nunneeded expense to obtain technologies that are beyond the agency\xe2\x80\x99s basic\nimplementation needs.\n\nThe vision, goals, and scope for implementing the smart card credential need to\nbe defined because it is this framework that guides all subsequent decisions\nabout the card including the card requirements, interoperability, and funding.\nWhile the card has additional functionalities for logical access to information\nsystems and other uses, it is currently only intended as a credential for physical\naccess to buildings. The card has some high-level security features yet how\nthese features fit into our overall security program or when they should be used\nhas not been defined. Additionally, regions will be responsible for determining\nhow the cards will be used and providing funding to support their decision. There\nare no assurances that the equipment necessary to activate the features or\nadditional security controls such as physical barriers integrated with card readers\nthat would make the features more formidable will be funded. Further, these\nfeatures appear to be a major factor in the selection of the contractor, as the\ntechnology for some features is not widespread.\n\n18\n     Issued by the GSA Office of Governmentwide Policy.\n\n\n                                             Page 14\n\x0cThe implementation of GSA\xe2\x80\x99s smart card credentials is facing an array of issues\nthat need to be addressed beginning at the agency level. To accomplish this,\nPBS needs to establish an integrated team to consider the options, scope,\nopportunities and impacts of the smart card program the agency develops. 
The\nteam should include individuals representing the major stakeholders in the\nagency\xe2\x80\x99s smart card credentials rather than relying solely on PBS personnel.\nPersonnel from the CIO, the CPO, FSS, FTS, and regional management are also\nessential for the team. Next, in order to achieve interoperability across other\nagencies, consideration must be given to the new requirements for a common\nidentification, consideration also needs to be given to the impact of the FPS\nsmart card initiative, and other work within the Federal smart card community.\nMoreover, arrangements or Memorandum of Understanding must be put in place\nif the costs of the card implementation are to be shared across agency\ndepartments, programs, or external agencies. In addition, the funding allocation\nformulas should be specified in interagency agreements when multiple programs\nor offices are to fund the card platform.\n\nTo help carry the smart card credential forward, PBS also needs to reestablish a\nphysical security function. The physical security function could act as the\nchampion for the smart card credential within the agency. However, its role\nshould extend beyond issuing of the smart card credential and include\ncoordinating the activities needed to implement comprehensive policies and\nprocedures to enhance the overall agency security as it relates to the smart card\nprogram especially with regard to identity management and physical access. Its\nrole could also include being the liaison with other Federal entities involved in\nbuilding security, such as FPS and the Interagency Security Committee.\n\nSmart card technology is a powerful enabling tool that can greatly improve the\neffectiveness and efficiency of the agency. A smart card credential can provide\nthe basis for new levels of trust, more effective physical access to buildings, and\nmore secure logical access to information systems with enhanced information\nassurance. 
With such systems, access to buildings and information systems can\nbe much faster for trusted entrants, while much more effective in preventing\nunauthorized access. To achieve these benefits, PBS will need to provide the\nleadership to accomplish the vision and goals for the implementation of the smart\ncard credentials within the agency.\n\nRecommendations\n\nWe recommend that the Commissioner of the Public Buildings Service:\n\n   1. Coordinate with other agency officials in the development of the vision,\n      goals, and scope for GSA\xe2\x80\x99s smart card implementation as part of the\n      agency\xe2\x80\x99s security protocol.\n         a. Include representatives from the major stakeholders such as the\n             CIO, CPO, and the regions.\n\n\n                                      Page 15\n\x0c          b. Establish an integrated project team to implement GSA\xe2\x80\x99s smart card\n             credential.\n\n   2. Use the vision, goals, and scope to reassess the smart card credential\n      requirements and determine the estimated funding needs for GSA\xe2\x80\x99s smart\n      card credential including the costs for implementation, operations, and\n      infrastructure.\n          a. Ensure the interoperability of the smart card credential and access\n              systems by adhering to the specifications and standards set by the\n              Federal community and avoid incorporating technology that limits\n              interoperability.\n          b. Coordinate with FPS regarding building security decisions, smart\n              card interoperability, and funding for the smart card infrastructure.\n          c. Establish a program to ensure compliance with the Federal\n              standard for secure and reliable forms of identification when it is\n              issued.\n\n   3. Reestablish a physical security function within the PBS organization.\n\n   4. 
Re-evaluate and improve the management controls related to smart cards\n      and issue additional detailed guidance as necessary.\n\n   5. Ensure smart card credential and physical access system procurements\n      comply with acquisition regulations and policies, including competition.\n\n\nManagement Controls\n\nThe management controls related to the smart card implementation are weak as\ndiscussed above.\n\n\nManagement Comments\n\nIn his January 7, 2005 response to the draft audit report (see Appendix A), the\nCommissioner of the Public Buildings Service (P) indicates concurrence with the\nreport recommendations.\n\n\n\n\n                                      Page 16\n\x0cAUDIT OF BUILDING ACCESS THROUGH SMART CARDS\n       REPORT NUMBER A040111/R/P/R05002\n\n            Management\xe2\x80\x99s Response\n\n\n\n\n                    A-1\n\x0cA-2\n\x0c             AUDIT OF BUILDING ACCESS THROUGH SMART CARDS\n                    REPORT NUMBER A040111/R/P/R05002\n\n\n                                        Report Distribution\n\n\n\nCommissioner, Public Buildings Service (P) .................................................... 3\n\n\nOffice of the Chief Financial Officer (B) ........................................................... 2\n\n\nAssistant Inspector General for Auditing (JA, JAO and JAS) ........................... 3\n\n\nAssistant Inspector General for Investigations (JI)........................................... 1\n\n\nBranch Chief, Audit Follow-up and Evaluation Branch (BECA)........................ 1\n\n\n\n\n                                                  B-1\n\x0c'